CIS_v8 2: CIS Control 2
Founder at SQUR · last verified 2026-06-20
Regulation text
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | Attackers use valid accounts to install or execute unauthorized software. CIS Control 2 directly mitigates this by ensuring only authorized software is permitted, preventing misuse of legitimate credentials for malicious software deployment. | 90% |
| T1021 | Remote services, such as RDP (T1021.001), are often exploited to gain remote access and execute unauthorized software. CIS Control 2 prevents this by restricting software execution to an approved list, even if remote access is achieved. | 80% |
| T1059 | Attackers execute unauthorized commands or scripts via command shells (T1059.003). CIS Control 2 limits this by allowing only authorized executables and scripts, thereby blocking malicious command execution. | 85% |
| T1047 | Windows Management Instrumentation (WMI) can execute unauthorized code or scripts. CIS Control 2 restricts this by ensuring only approved software and scripts can run, regardless of the execution method. | 80% |
| T1053 | Unauthorized software establishes persistence by creating or modifying scheduled tasks (T1053.005). CIS Control 2 prevents this by blocking the execution of any unapproved software, including those configured for persistence. | 90% |
| T1037 | Unauthorized software configures itself to run at system startup via registry run keys or startup folders (T1037.001). CIS Control 2 directly counters this by preventing the execution of any unapproved startup items. | 90% |
| T1015 | Attackers manipulate access tokens to execute unauthorized software with elevated privileges. CIS Control 2 reduces the impact by ensuring that even with token manipulation, only approved software can run. | 75% |
| T1027 | Malicious software uses packing (T1027.002) or other obfuscation to evade detection. CIS Control 2's whitelisting approach prevents execution regardless of obfuscation, focusing on authorization rather than detection. | 85% |
| T1036 | Attackers rename system utilities (T1036.003) to masquerade unauthorized software. CIS Control 2 prevents this by only allowing execution of software based on its authorized identity, not just its filename. | 80% |
| T1003 | Unauthorized software attempts to dump credentials from LSASS memory (T1003.001). CIS Control 2 prevents the initial execution of such credential-dumping tools, thereby protecting sensitive information. | 70% |
| T1083 | Attackers use unauthorized tools for file and directory discovery. CIS Control 2 prevents the execution of these unapproved discovery tools, limiting an attacker's ability to map the environment. | 70% |
| T1046 | Unauthorized software performs network service scans to identify vulnerable systems. CIS Control 2 prevents the execution of such scanning tools, reducing the risk of internal reconnaissance. | 70% |
| T1071 | Unauthorized software communicates with C2 servers using common web protocols (T1071.001). CIS Control 2 prevents the initial execution of this C2-enabled software, disrupting the communication chain. | 75% |
| T1041 | Unauthorized software exfiltrates sensitive data over its command and control channel. CIS Control 2 prevents the execution of the exfiltration software itself, thereby protecting data from being stolen. | 75% |
| T1042 | Attackers modify file associations to execute unauthorized software when specific file types are opened. CIS Control 2 prevents the execution of the unauthorized software, regardless of how it is invoked. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1038 | Application whitelisting directly implements CIS Control 2 by ensuring only authorized software is permitted to execute, blocking all other applications by default. | 100% |
| M1039 | Code signing verifies the authenticity and integrity of software. CIS Control 2 relies on this to ensure that authorized software has not been tampered with and that unauthorized software is not signed by trusted entities. | 90% |
| M1040 | Behavior prevention on endpoints detects and blocks suspicious or unauthorized software execution attempts. This supports CIS Control 2 by providing a dynamic layer of defense against unapproved software. | 85% |
| M1028 | Operating system configuration hardens the OS to restrict unauthorized software installation and execution. This aligns with CIS Control 2's goal of managing and controlling all software on the network. | 80% |
| M1047 | Auditing provides visibility into software installations and executions. CIS Control 2 benefits from this by enabling detection of unauthorized software that might bypass other controls, facilitating corrective actions. | 80% |
| M1019 | Endpoint denylisting prevents known malicious or unauthorized software from running. While whitelisting is preferred, denylisting complements CIS Control 2 by blocking specific threats not yet covered by a whitelist. | 75% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-427 | An uncontrolled search path element allows an attacker to place unauthorized executables in a search path, leading to their execution. CIS Control 2 directly mitigates this by preventing the execution of any unapproved software. | 90% |
| CWE-434 | Unrestricted upload of files with dangerous types enables attackers to upload and execute unauthorized software. CIS Control 2 prevents the execution phase, even if the upload occurs, by blocking unapproved executables. | 85% |
| CWE-732 | Incorrect permission assignment for critical resources allows unauthorized users to modify system files or install software. CIS Control 2 addresses the consequence by preventing the execution of such unauthorized installations. | 80% |
| CWE-269 | Improper privilege management permits users or processes to gain excessive privileges, facilitating unauthorized software installation or execution. CIS Control 2 acts as a compensating control by blocking execution of unapproved software. | 80% |
| CWE-284 | Improper access control fails to restrict access to software installation or execution functions. CIS Control 2 directly addresses this by enforcing strict controls over what software is allowed to run. | 80% |
| CWE-94 | Improper control of code generation allows attackers to inject and execute unauthorized code. CIS Control 2 prevents the execution of this injected, unauthorized code by only allowing approved software. | 75% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0190 compute · voice-rubric self-validated